Klez overtakes SirCam in virus stakes

The Klez.h virus only surfaced in April yet already it has overtaken SirCam as the most virulent worm ever, thanks to a clever mechanism designed to spread confusion

Klez.h appears to be overtaking SirCam as the most virulent computer virus to date. This particular version of the virus surfaced in April, and is also known as Klez.g, Klez.h and Klez.k, depending on the security advisory that's referring to it.

According to antivirus outsourcing firm Messagelabs, which scans emails for corporate clients, Klez.h overtook SirCam on Sunday and continues to spread, with the company's servers blocking up to 20,000 copies every working day. To date, Messagelabs has stopped over 800,000 copies of Klez.h.

The remarkable success of Klez.h is largely down to the different methods it uses to spread. "There are a lot of people on the Internet without any virus protection wtatsoever, and they tend to avoid viruses by recognising subject lines and content," said Alex Shipp, antivirus technologist at Messagelabs. "But with Klez.h this approach does not work."

The problem is that Klez.h arrives in an email message with one of 120 possible subject lines. There are 18 different standard subject headings, including "let's be friends", "meeting notice", "some questions", and "honey". On top of those, seven other patterns exist, such as "a x game" and "a x patch", where x can be one of 16 different words, including "new", "WinXP", and the name of any of six major antivirus companies.

In many circumstances, the worm doesn't need the victim to open it in order to run. Instead, it takes advantage of a 12-month-old vulnerability in Microsoft Outlook, known as the Automatic Execution of Embedded MIME Type bug, to open itself automatically on unpatched versions of Outlook.

The malicious program will find any network storage available on the infected PC and copy itself to the remote disk drives using a random file name and a .EXE, .PIF, .COM, .BAT, .SCR or .RAR extension. Occasionally, the file name will include a double extension.

The program will also cull email addresses by searching a host of different file types on the infected PC. Using its own mail program, the worm will send itself off to those email addresses. In addition, it will use the addresses to create a fake "From:" field in the email message, disguising the actual source of the email.

Finally, the worm attempts to disable antivirus software by deleting registry keys, stopping running processes and removing virus-definition files.

It is unclear why Klez.h, or all the variants of the original Klez virus, has been so effective. On the same day that Klez.h was released into the wild, said Shipp, another very similar variant called Klez.i was released. "But we only ever saw two copies of Klez.i, and Klez.h meanwhile has gone bananas. Why one has made it and the other not we don't know. It might be that the virus writer seeded the different versions to different email groups, and one was more active so that virus reached a critical mass."

Another problem with Klez.h is that many people are unaware that their PCs are infected. This is because when Klez sends out emails it forges the sender's address, picking one from the address book on the infected PC. "It sends emails to people in the address book of the infected to PC that appear to come from other people in the address book of the infected PC," said Shipp. "All this creates a hell of a lot of confusion, and everybody who receives the virus is alerting everybody else, but the person who owns the infected PC remains blissfully unaware because everybody is alerting the wrong person. In the past someone would eventually tell you if you had a virus, but you cannot count on this happening any more."

Practically all the copies of Klez.h doing the rounds now are come from home users and small businesses, said Shipp. "There appears to be very few corporates infected."

It took about three days for Klez.h to build up to a significant level, and since then the numbers have been fairly flat. Messagelabs has been intercepting about 20,000 copies of the Klez virus each working day since late April. "SirCam has died off but we're still seeing somewhere between 500 and 1,000 copies a day," said Shipp. "We do have more customers now than when SirCam was out, but even adjusting for that we believe Klez is the more widespread."

Rid your computer of the Klez worm with this free Klez removal utility from ZDNet UK's Downloads section.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.